summaryrefslogtreecommitdiff
path: root/commit.c
diff options
context:
space:
mode:
authorbrian m. carlson <sandals@crustytoothpaste.net>2013-07-04 17:19:43 +0000
committerJunio C Hamano <gitster@pobox.com>2013-07-04 21:45:18 -0700
commit28110d4bfc613d875231d3d7788500d876136ffc (patch)
treea67b9e74f1df050de67d2026ec56a03c93709cbd /commit.c
parent81a199bb1cd483321962a7bfe5db33980bbf0f01 (diff)
downloadgit-28110d4bfc613d875231d3d7788500d876136ffc.tar.gz
commit: reject invalid UTF-8 codepoints
The commit code already contains code for validating UTF-8, but it does not check for invalid values, such as guaranteed non-characters and surrogates. Fix this by explicitly checking for and rejecting such characters. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'commit.c')
-rw-r--r--commit.c27
1 files changed, 22 insertions, 5 deletions
diff --git a/commit.c b/commit.c
index 888e02ae2f..b140af7e44 100644
--- a/commit.c
+++ b/commit.c
@@ -1244,6 +1244,7 @@ static int find_invalid_utf8(const char *buf, int len)
while (len) {
unsigned char c = *buf++;
int bytes, bad_offset;
+ unsigned int codepoint;
len--;
offset++;
@@ -1264,24 +1265,40 @@ static int find_invalid_utf8(const char *buf, int len)
bytes++;
}
- /* Must be between 1 and 5 more bytes */
- if (bytes < 1 || bytes > 5)
+ /*
+ * Must be between 1 and 3 more bytes. Longer sequences result in
+ * codepoints beyond U+10FFFF, which are guaranteed never to exist.
+ */
+ if (bytes < 1 || 3 < bytes)
return bad_offset;
/* Do we *have* that many bytes? */
if (len < bytes)
return bad_offset;
+ /* Place the encoded bits at the bottom of the value. */
+ codepoint = (c & 0x7f) >> bytes;
+
offset += bytes;
len -= bytes;
/* And verify that they are good continuation bytes */
do {
+ codepoint <<= 6;
+ codepoint |= *buf & 0x3f;
if ((*buf++ & 0xc0) != 0x80)
return bad_offset;
} while (--bytes);
- /* We could/should check the value and length here too */
+ /* No codepoints can ever be allocated beyond U+10FFFF. */
+ if (codepoint > 0x10ffff)
+ return bad_offset;
+ /* Surrogates are only for UTF-16 and cannot be encoded in UTF-8. */
+ if ((codepoint & 0x1ff800) == 0xd800)
+ return bad_offset;
+ /* U+FFFE and U+FFFF are guaranteed non-characters. */
+ if ((codepoint & 0x1ffffe) == 0xfffe)
+ return bad_offset;
}
return -1;
}
@@ -1292,8 +1309,8 @@ static int find_invalid_utf8(const char *buf, int len)
* If it isn't, it assumes any non-utf8 characters are Latin1,
* and does the conversion.
*
- * Fixme: we should probably also disallow overlong forms and
- * invalid characters. But we don't do that currently.
+ * Fixme: we should probably also disallow overlong forms.
+ * But we don't do that currently.
*/
static int verify_utf8(struct strbuf *buf)
{